obPedantry
Stolen cert? I think you mean stolen key.
There's nothing secret about an X.509 certificate.
Posts by Mr Spuratic
14 publicly visible posts • joined 11 Nov 2010
Leaked stolen Nvidia key can sign Windows malware
Take the bus... to get some new cables: Raspberry Pi 4s are a bit picky about USB-Cs
100MW bit barn farm in Ireland faces planning appeal from – yep – same guy who helped sink Apple's application
Tuesday 26th March 2019 16:28 GMT
flapdoodle
All of which is easily disproved by Eirgrid's "All-Island Generation Capacity Statement 2016-2025", the 206 page Environmental Impact Statement which includes Flood Risk analysis (its proximity to the river makes that mandatory in Wicklow), and the 520MW expansion to the Arklow wind farm.
The main source of waste heat appears to be McDonagh himself.
The site happens to have 100MW capacity, the data center design peak load is 60MW according to the application. How exactly does one heat 312,000 homes (with <200W each) in a county with 50,000 homes?
Apple's fruitless rootless security broken by code that fits in a tweet
Wednesday 30th March 2016 17:57 GMT
Re: Question
Yes, there is no pipe.
1&>- causes FD 1 (stdout) to be closed, but not to save the user from noise, this is setuid hacking 101. With FD 1 closed, the next call to fopen() will reuse the now freed up FD 1, so output intended for the user will instead end up in the opened file (disk device), effectively junking it. See pages 53-57 of Esser's paper linked from the article.
(The "[n]>&word" form is for duplicating FDs, with "-" as special case for closing the FD.)
Google's SHA-1 snuff plan is catching up with Microsoft, Mozilla
Tuesday 22nd December 2015 15:59 GMT
Re: Technical pedantry
Yes, unqualified "brute force" is not the proper term here, I mean the (probably) expensive computation involved in attacks similar to that you describe. This will be by definition better than exhaustive brute force, if and when the cat is let out of the bag.
Since the collision attack you describe was used in the 2009 hashclash MD5 attack it is no longer as trivial, CAs must use random serial numbers. My understanding is that further increasing signing-time entropy would have provided continued protection, which is why I'm hoping Santa Claus will bring a second-preimage attack this year.
Tuesday 22nd December 2015 12:58 GMT 
Technical pedantry
SHA-1 is not a hash and a cipher, it is only the former.
It is not universally being snuffed out, yet (witness its continued existence in TLS ciphersuites for integrity checking, and as a HMAC).
The issue here is that its use in certificate signatures (sha1WithRSAEncryption) does not offer the required safety margin for something that is effectively a long term credential. Or more precisely it can probably be brute forced for a moderate outlay within its validity period.
Facebook farewells flaky SHA-1
Wednesday 3rd June 2015 11:54 GMT
Crypto pedantry
Both articles conflate two distinct uses of SHA-1. The CAB Forum are largely concerned with SHA-1 as used in certificate signatures (formally sha1WithRSAEncryption). Separately, SHA-1 or SHA-2 are used in a TLS cipher as a message authentication code (or more correctly, HMAC). HMAC-SHA1, like other HMACs, is not susceptible to collision attacks. That said, RFC 7525 recommends only SHA-2 using ciphers, but leaves SHA-1 using ciphers unchanged (and still mandatory for interop).
https://tools.ietf.org/html/rfc7525
Get coding or you'll bounce email from new dot-thing domains
Friday 16th January 2015 12:58 GMT
Re: DNS and hyphens
I'm talking about ASCII 0x2D, strictly IA5 "hyphen (minus)", informally "dash", and what's allowed in the "ASCII" subset letter-digit-hyphen, as historically used in DNS labels. A feature of IDN, which presumably justifies its complexity, is that it is backward compatible with this (ignoring the fact that a label is simply an octet sequence and technically need not be 7 bit ASCII).
One (my) interpretation of the above statement from the article is that the hyphen/dashes in the ACE "xn--" prefix or separator are going to cause problems. The encoded value cannot contain either a leading or trailing hyphen/dash (see RFC 3492 section 5), so where's the new problem?
There are other far less plausible (to me) interpretations, possibly involving systems that decode IDNs and reject dashes for some reason.
FWIW, valid IDN encompasses a large subset of Unicode, including all the dashes you might need or want. Further reading: Unicode Consortium IDN FAQ, reports TR36 & TR46, and the IDNA2008 RFCs 5890-5894 (get cracking, it's less than 5 hours until beer o'clock, this will be on the test ;-)
Thursday 15th January 2015 13:43 GMT
DNS and hyphens
I'm having difficulty with the intent of this statement:
"[...] systems will often simply reject emails that don't work within the old DNS model - refusing to allow dashes for example."
The dash/hyphen has been allowed in DNS labels since forever (RFC882, 1983), the ACE form of an IDN breaks no new ground here. I've been involved in email administration for many a year, and I can't say I remember a single incident where a (valid) hyphen in a domain caused a problem. Hard-coded TLD "validation" or logic is a different problem.
Also, the IETF Email Address Internationalization working group and RFC6530 (and friends) seems to have escaped mention.
Thursday 15th January 2015 11:31 GMT
Re: Gmail?
Sub-addressing, sendmail calls it "plus addressing", it's been around since at least sendmail 8.36 (early 1993) this is far from a Googlism. The RFC821 spec for the "local part" to the left of the @ is surprisingly loose, and most systems will choke on one thing or another.
http://en.wikipedia.org/wiki/Email_address#Address_tags
systemd row ends with Debian getting forked
Thanks for nothing, OpenSSL, grumbles stonewalled De Raadt
Friday 6th June 2014 14:29 GMT
Re: Theo's previous response when asked if he'd like to be on a mailing list
https://plus.google.com/+MarkJCox/posts/L8i6PSsKJKs
OpenSSL's timeline, that list was notified on 2014-06-02.
OpenSSLs "official reason" for this is there too, it's because
they're not on os-distros, see MarkJCox's post @08:53.
(and there's a fine flame war in the comments there too)
Meantime, Theo cranks it up a gear [NSFW] in openbsd-misc@
http://marc.info/?l=openbsd-misc&m=140202938032160&w=2
German 'hacker' uses rented computing to crack hashing algorithm
Friday 19th November 2010 12:47 GMT
Neat hack, misleading headline
SHA-1 wasn't designed to be slow, it was designed to be "cryptographically secure". This is why proper password implementations which use any type of hashing have multiple rounds and salt ("PBKDF" and "password strengthening" are terms associated with these).
Read http://www.akkadia.org/drepper/SHA-crypt.txt for a real password implementation (which uses SHA-2 rather than SHA-1, but the principle is the same).
5000 rounds + 16 characters of salt makes brute-force a *lot* harder. Approx 2^108 times harder, if you don't have the salt, and only ~2^12 if you do (making a 2 hour exercise into a ~12 month exercise). I've read the results, the input file had one hash round.
I see a neat hack (nicely documented too) showing what you can do with EC2, and a misleading headline... "crack sha-1 hashes" != "crack sha-1 hashing"
Wake me up when someone uses EC2 to find useful SHA-1 collisions :)
How I built a zero energy cost, zero carbon home server
Thursday 11th November 2010 16:18 GMT 
Sheeva plug
The Sheevaplug can push the USB to 750mA, above the 500mA per-spec. I run a 500GB Toshiba bus-powered disk directly on mine. I understand it's the startup current which is usually the issue, rather than normal running.
I get the odd glitch (all clear for ~5 months now) which I'd always put down to brownouts. Disk momentarily disconnects and reconnects.
However, many people report PSU issues (the melty or magic-smoke types) with these, and bus-powered drives are implicated.
Biting the hand that feeds IT
